A programmer who wants to keep growing needs to follow where the industry is heading and keep building a base of computer fundamentals, networking among them. This article walks through how HTTPS works, from the weakness it was designed to fix to the handshake that fixes it.
In recent years, as both users and Internet companies have become more security-conscious and the cost of HTTPS has fallen, HTTPS has become the norm. The large platforms are pushing it: Google's Chrome marks plain-HTTP sites as "Not secure" in the address bar, WeChat requires all mini programs to communicate over HTTPS, Apple requires apps shipped through the App Store to use HTTPS, and most mainstream sites at home and abroad have already migrated. HTTPS replacing HTTP entirely is only a matter of time.
So what exactly is HTTPS? How does it compare with HTTP, and what are the trade-offs? How is it implemented underneath? The rest of this article answers those questions, starting with the weakness of HTTP.
1. HTTP's biggest drawback: it is not secure
The main reason HTTPS is replacing HTTP is that HTTP is insecure. The figure below shows why at a glance.
Figure 1. HTTP data transfer process
As the figure shows, HTTP transmits everything in clear text. There is no confidentiality at all, which matters most for sensitive data such as passwords and credit card numbers: anyone who can read the traffic gets them. At this point someone usually suggests "encrypting" sensitive fields in the page before sending them, for example salted MD5. That does not hold up. First, MD5 is not an encryption algorithm: its full name is Message-Digest Algorithm 5, and it is a one-way hash, so whatever the front end hashes cannot be recovered by the server. Take a password as an example: the front end hashes the user's password with MD5 and sends the hash to the server; the server cannot recover the password, so it simply compares the hash it received with the hash it stored. A third party who captures that hash on the wire can therefore skip the login page and submit the hash directly, and the server accepts it. On top of that, MD5 itself has known weaknesses, which we will not go into here.
In short, hash algorithms like MD5 and SHA-1 do not make HTTP any safer. To make HTTP secure you need real encryption, that is, algorithms that transform data with a key and can restore it with a key. As long as the key stays out of a third party's hands, the data in transit stays confidential. That is exactly what HTTPS does, so the next section looks at encryption algorithms.
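The replay problem described above, as an added example that is not part of the original article. The server stores `md5(salt + password)` and the front end computes the same value before submitting, as the "salted MD5 on the front page" idea proposes; the salt, user and password are constructed for the demo. The example also shows the second consequence the text alludes to: because the browser must know the salt, the salt is public, so a captured hash can be cracked offline against a wordlist.

```python
import hashlib
import secrets

# Constructed demo data: a site that hashes passwords in the browser before sending
# them over plain HTTP. The salt is embedded in the page, so it is public.
SALT = "s1te-s4lt"
USERS = {"alice": hashlib.md5((SALT + "hunter2").encode()).hexdigest()}


def front_end_hash(password):
    """What the page's JavaScript computes before submitting the login form."""
    return hashlib.md5((SALT + password).encode()).hexdigest()


def server_login(username, submitted_hash):
    """Server side: the stored value is compared directly with what was submitted."""
    stored = USERS.get(username)
    return stored is not None and secrets.compare_digest(stored, submitted_hash)


def sniff_login(username, password):
    """A legitimate login over HTTP, returned as what an eavesdropper sees on the wire."""
    return {"user": username, "pw_hash": front_end_hash(password)}


def replay(captured):
    """The third party never learns the password; it resubmits the captured hash as-is."""
    return server_login(captured["user"], captured["pw_hash"])


def offline_dictionary_attack(captured_hash, wordlist):
    """Since the salt is public, the captured hash can also be cracked offline."""
    for guess in wordlist:
        if hashlib.md5((SALT + guess).encode()).hexdigest() == captured_hash:
            return guess
    return None


if __name__ == "__main__":
    wire = sniff_login("alice", "hunter2")
    print("replay accepted:", replay(wire))
    print("cracked:", offline_dictionary_attack(wire["pw_hash"], ["password", "123456", "hunter2"]))
```

The hash has simply become the password: whoever holds it is "alice" to the server. Nothing on the client side can fix this, because the problem is the clear-text channel, not the transformation applied before sending.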
2. Encryption algorithms
HTTPS secures the data in transit with encryption, specifically hybrid encryption: symmetric and asymmetric encryption used together. To see why, you need the differences and trade-offs of the two.
2.1 Symmetric encryption
In symmetric encryption, as the name says, encryption and decryption use the same key. Common symmetric algorithms are DES, 3DES and AES. Its strengths and weaknesses:
- Strengths: the algorithm is public, the computation is cheap, and encryption is fast and efficient, which makes it suitable for large volumes of data.
- Weaknesses:
- Both parties must use the same key, so the key has to be delivered from one to the other. There is no guarantee it is not intercepted along the way, so the security of symmetric encryption on its own rests on an unsolved key-distribution problem.
- Every pair of communicating parties needs its own key that nobody else knows, so the number of keys each party holds grows quickly and key management becomes a burden. This is why symmetric encryption alone is hard to use in a distributed network: key management is difficult and costly.
This article does not cover the individual algorithms in detail; interested readers can look up a treatment of symmetric encryption algorithms. If a symmetric algorithm were used directly on top of HTTP, the result would look like this:
Figure 2. Symmetric encryption data transfer process
As the figure shows, the encrypted data looks like random bytes in transit; even if a third party intercepts it, it cannot be decrypted without the key, so the data is protected. But there is a fatal problem: since both sides must use the same key, one side has to send the key to the other before any data is transferred, and the key is just as likely to be intercepted on the way. With the key, the "encrypted" data is trivially decrypted. So how do you get the key across safely? That is where asymmetric encryption comes in.
2.2 Asymmetric encryption
Asymmetric encryption, again as the name suggests, uses two different keys: a public key and a private key. They form a pair. Data encrypted with the public key can only be decrypted with the corresponding private key. The reverse operation, applying the private key to data so that anyone holding the public key can check it, is what a digital signature is, and it is how a certificate authority vouches for a certificate later in this article. The basic exchange of secret information works like this: party A generates a key pair and publishes one half as the public key; party B obtains the public key, encrypts the confidential data with it and sends the result to A; A decrypts it with the private key. If public and private keys feel abstract, think of a padlock and its key: you are the only person in the world with the key, but you can hand out copies of the padlock. Anyone can lock something important with your padlock and send it to you, and since only you have the key, only you can open it. The most common asymmetric algorithm is RSA; see a detailed RSA explanation if you want the mathematics. Its strengths and weaknesses:
- Strengths: the algorithm is public, encryption and decryption use different keys, and the private key never has to travel over the network, so the security is high.
- Weaknesses: it is computationally expensive; encryption and decryption are far slower than symmetric encryption.
Because asymmetric encryption is strong, it solves the key-leakage problem of symmetric encryption neatly, as in the figure below:
Figure 3. The client sends the symmetric key KEY to the server under asymmetric encryption
Once the client has the server's public key, it generates a random value (called KEY here; this is the key both sides will use for symmetric encryption), encrypts KEY with the public key and sends it to the server, which decrypts it with its private key. Now both sides hold the same KEY and use it to encrypt the rest of the conversation symmetrically. While KEY travels under asymmetric encryption, a third party who obtains both the public key and the encrypted KEY still cannot recover KEY without the private key, and the private key stays on the server, where the risk of leakage is minimal. The following symmetric traffic is therefore safe. This figure is the prototype of HTTPS: it combines the strengths of both kinds of algorithm, communication security from asymmetric encryption and transfer efficiency from symmetric encryption.
3. How HTTPS works
Start with the Wikipedia definition of HTTPS:
Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP). It is used for secure communication over a computer network, and is widely used on the Internet. In HTTPS, the communication protocol is encrypted using Transport Layer Security (TLS) or, formerly, its predecessor, Secure Sockets Layer (SSL). The protocol is therefore also often referred to as HTTP over TLS, or HTTP over SSL.
So HTTPS is not a separate communication protocol; it is HTTP with a security layer underneath. The relationship looks like this:
Figure 4. The relationship between HTTP and HTTPS
In other words, HTTPS = HTTP + SSL/TLS.
Now for the important part, the HTTPS flow itself. As usual, the figure first:
Figure 5. HTTPS encryption, decryption, verification and data transfer process
It looks dense, but it breaks down cleanly. An HTTPS session has two phases: certificate validation and data transfer, and the data-transfer phase itself starts with an asymmetric step and continues with symmetric encryption. The steps below follow the numbers in the figure.
1. The client requests an HTTPS URL and connects to port 443 on the server (the HTTPS default port, like port 80 for HTTP).
2. A server that speaks HTTPS must have a certificate issued by a Certification Authority (CA). The server operator generates a key pair, keeps the private key to itself (it must never leave the server) and submits the public key in a certificate request; the CA issues the certificate after vetting the applicant (commercial CAs charge for this, and the stricter the validation level, the higher the price). The public key is embedded in the certificate, which is public. The certificate also carries the CA's digital signature over its contents, which lets anyone verify the certificate's integrity and authenticity and prevents it from being altered undetected.
3. The server answers the client's request by sending its certificate. Besides the public key the certificate carries the issuing CA, the organisation, the validity period and more. In Chrome, click the lock icon in the address bar and then the certificate entry to see the details.
Figure 6. The CA certificate of site B
4. The client parses and validates the certificate. If it was not issued by a CA the client trusts, if the domain name in the certificate does not match the site being visited, or if the certificate has expired, the browser shows a warning and leaves it to the visitor to continue or not. It looks like this:
Figure 7. Browser security warning
If the certificate checks out, the client takes the server's public key A from the certificate, generates a random value KEY and encrypts it with public key A.
5. The client sends the encrypted KEY to the server; KEY will be the key for the symmetric encryption that follows.
6. The server decrypts the received value with its private key B. At this point client and server have established a secure channel: the key-distribution problem of symmetric encryption is solved, and the two can communicate symmetrically. A caveat for readers who go on to packet captures: this describes the RSA key exchange of TLS 1.2 and earlier, where the value the client sends is the premaster secret and the actual session keys are derived from it together with both sides' random values. TLS 1.3 replaces it with an ephemeral Diffie-Hellman exchange, so the server's private key is only used to sign the handshake, and a later leak of that key cannot decrypt recorded traffic.
7. The server encrypts its data symmetrically with KEY and sends it to the client, which decrypts it with the same KEY.
8. From here on all data flows under symmetric encryption in both directions.
That is the theory of HTTPS in full. With a figure like that and a step-by-step walk-through, it should now make sense.
To close, a summary of the differences between HTTPS and HTTP, and of the downsides of HTTPS:
Differences between HTTPS and HTTP:
- The most important difference is security. HTTP sends everything in clear text and offers no protection; HTTPS (HTTP + SSL/TLS) encrypts the data in transit.
- Using HTTPS requires a certificate from a CA. Free certificates are less common than paid ones, so there is usually some cost. Examples of certification authorities: Symantec, Comodo, DigiCert and GlobalSign.
- An HTTP page responds faster than an HTTPS page, all else being equal: the extra security layer makes connection setup more complex and adds round trips and data, which inevitably costs some latency (modern TLS and HTTP/2, which browsers only use over HTTPS, narrow this gap considerably).
- Because HTTPS is HTTP built on top of SSL/TLS, it consumes more server resources than HTTP.
- HTTPS and HTTP use different connections on different ports: 443 for HTTPS, 80 for HTTP.
Downsides of HTTPS:
- On the same network, HTTPS costs noticeably more in response time and in client power consumption than HTTP.
- HTTPS protects data only while it is in transit. It does nothing against a compromised or hijacked server, a compromised client, or application-level attacks.
- Under the current certificate model, man-in-the-middle attacks remain possible: a compromised or mis-issuing CA, a trusted root installed on the client, or a user who clicks through the browser warning all defeat it.
- HTTPS needs more server resources, which also means higher cost.
Closing
The author publishes more Java articles and learning material on the WeChat official account 【Calm as a code】.